Есть FreeBSD 6 и вот такой набор правил ipfw для шлюза в инет:
#!/bin/sh
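#---------------------------- Setup ---------------------------------------------------------------
# ipfw ruleset for a FreeBSD 6 Internet gateway: $ifout is the public side (NAT via natd),
# $ifuser is the LAN side. Each rule is added by its own "ipfw -q add" process and the
# script has no error handling, so a rule that ipfw rejects is simply skipped and loading
# continues -- verify the loaded set with "ipfw list" after running this.
ipfw -q -f flush
cmd="ipfw -q add"
skip="skipto 7000"              # jump to the outbound NAT block (rule 7000)
ifout="rl0"                     # external interface
ifuser="rl1"                    # LAN interface
ournet="192.168.1.0/24"         # LAN network used by the NAT/skipto rules below
servip="213.80.100.200"         # public address of the gateway
servloc="192.168.1.1"           # LAN address of the gateway (the FROX ftp proxy listens here)
sks="setup keep-state"          # TCP: create a dynamic rule on the initial SYN only
ks="keep-state"                 # UDP/ICMP: create a dynamic rule on any matching packet

$cmd 1000 allow ip from any to any via lo0
# The whole LAN side is trusted, including LAN traffic addressed to the gateway itself.
$cmd 1010 allow ip from any to any via $ifuser
#----------------------------------- Drop bogus inbound traffic -----------------------------------
# ICMP types only useful for redirecting or probing the gateway.
$cmd 1100 deny log icmp from any to $servip in icmptype 5,9,13,14,15,16,17 via $ifout
# Stealth-scan patterns. "via $ifout" is commented out on 1110-1130, so they apply to every
# interface, but rule 1010 has already accepted LAN traffic, so in practice only $ifout is left.
$cmd 1110 deny log logamount 5 tcp from any to any not established tcpflags fin #via $ifout
# The tcpflags list must be ONE comma-separated token: with spaces after the commas the shell
# hands ipfw "syn," "rst," ... as separate arguments, the rule is rejected and never loaded.
$cmd 1120 deny log tcp from any to any in tcpflags fin,syn,rst,psh,ack,urg #via $ifout
$cmd 1130 deny log tcp from any to any in tcpflags !fin,!syn,!rst,!psh,!ack,!urg #via $ifout
# Anti-spoofing: the source must be routable back through the interface the packet arrived on.
$cmd 1140 deny log ip from any to any in not verrevpath via $ifout
$cmd 1200 deny log ip from 192.168.0.0/16 to any in via $ifout #RFC 1918 private IP
$cmd 1210 deny log ip from 172.16.0.0/12 to any in via $ifout #RFC 1918 private IP
$cmd 1220 deny log ip from 10.0.0.0/8 to any in via $ifout #RFC 1918 private IP
$cmd 1230 deny log ip from 127.0.0.0/8 to any in via $ifout #loopback
$cmd 1240 deny log ip from 0.0.0.0/8 to any in via $ifout #"this network" (RFC 1122), never a valid source
$cmd 1250 deny log ip from 169.254.0.0/16 to any in via $ifout #DHCP auto-config
$cmd 1260 deny log ip from 192.0.2.0/24 to any in via $ifout #reserved for docs
$cmd 1270 deny log ip from 204.152.64.0/23 to any in via $ifout #Sun cluster
$cmd 1280 deny log ip from 224.0.0.0/3 to any in via $ifout #Class D & E multicast
# Services that must not cross the external interface. Except for 43 and 113 these
# match BOTH directions, so they also stop the LAN/gateway from talking to these ports.
$cmd 1310 deny log ip from any to any 43 in via $ifout
$cmd 1320 deny log ip from any to any 67 via $ifout
$cmd 1321 deny log ip from any to any 68 via $ifout
$cmd 1330 deny log ip from any to any 81 via $ifout
# ident: inbound only. As a both-direction "via $ifout" deny this rule shadowed the outbound
# ident allows at 2150/2160/3140/3141, which could never match.
$cmd 1340 deny log ip from any to any 113 in via $ifout
$cmd 1350 deny log ip from any to any 135 via $ifout
$cmd 1360 deny log ip from any to any 137 via $ifout
$cmd 1370 deny log ip from any to any 138 via $ifout
$cmd 1380 deny log ip from any to any 139 via $ifout
$cmd 1390 deny log ip from any to any 445 via $ifout
#----------------- Cut off the misbehaving hosts ---------------------------------------
# NOTE(review): these addresses (and 192.168.210.15 in rules 3000/3001) are not inside
# $ournet (192.168.1.0/24). Either $ournet or these host addresses is wrong -- confirm which.
$cmd 1400 deny ip from 192.168.210.238 to any via $ifout
$cmd 1410 deny ip from 192.168.210.249 to any via $ifout
#-------------------------- Inbound NAT ------------------------------------------------
# Inbound packets for the public address go through natd first; natd re-injects them at the
# next rule with the LAN destination restored (or unchanged when the gateway itself is the target).
$cmd 2000 divert natd ip from any to $servip in via $ifout
# A zero counter on this rule in "ipfw show" is normal: when a packet matches a dynamic rule,
# ipfw accounts the hit to the PARENT rule that created the state (2100-2210, 2400, 3000-3200)
# and applies that rule's action -- the check-state rule itself is never charged. Every
# keep-state/limit rule also performs an implicit check-state, so the dynamic rules would
# keep working even without 2010. Use "ipfw -d show" to see the dynamic entries.
$cmd 2010 check-state
#---------------- Connections originated by the gateway itself ----------------------
$cmd 2100 allow icmp from $servip to any out via $ifout $ks
$cmd 2110 allow udp from $servip to any 53 out via $ifout $ks
$cmd 2120 allow udp from $servip to any 123 out via $ifout $ks
$cmd 2130 allow udp from $servip to any 80 out via $ifout $ks
$cmd 2140 allow tcp from $servip to any 80 out via $ifout $sks
$cmd 2150 allow tcp from $servip to any 113 out via $ifout $sks
$cmd 2160 allow udp from $servip to any 113 out via $ifout $ks
$cmd 2170 allow tcp from $servip to any 22 out via $ifout $sks
# Anything started by root on the gateway (from the FreeBSD handbook).
$cmd 2200 allow tcp from me to any out via $ifout $sks uid root
$cmd 2210 allow udp from me to any out via $ifout $ks uid root
#---------------- Access to the gateway from outside -----------------------------------
# SSH from anywhere. "limit src-addr 3" caps simultaneous connections per source address,
# not password guessing -- restrict the source to known admin addresses if possible.
$cmd 2400 allow tcp from any to $servip 22 via $ifout setup limit src-addr 3
# This box is only a gateway, so ssh is the only service it needs to expose.
#---------------------------------- LAN hosts jump to NAT -----------------------------------
# Privileged host: all TCP/UDP allowed, bypasses the FTP proxy and the port list below.
$cmd 3000 $skip tcp from 192.168.210.15 to any via $ifout $sks
$cmd 3001 $skip udp from 192.168.210.15 to any via $ifout $ks
# FTP goes to the FROX proxy on the gateway. NOTE(review): transparent-proxy fwd rules are
# usually placed "in via $ifuser"; check that the 3010 counters increase to confirm this
# placement actually catches the LAN's FTP traffic.
$cmd 3010 fwd $servloc,2121 tcp from $ournet to any 21 out via $ifout
$cmd 3020 $skip tcp from $ournet to any 22 out via $ifout $sks
$cmd 3030 $skip tcp from $ournet to any 23 out via $ifout $sks
$cmd 3040 $skip tcp from $ournet to any 25 out via $ifout $sks
$cmd 3050 $skip tcp from $ournet to any 37 out via $ifout $sks
$cmd 3060 $skip tcp from $ournet to any 43 out via $ifout $sks
$cmd 3070 $skip udp from $ournet to any 53 out via $ifout $ks
$cmd 3080 $skip tcp from $ournet to any 80 out via $ifout $sks
$cmd 3130 $skip tcp from $ournet to any 110 out via $ifout $sks
$cmd 3140 $skip tcp from $ournet to any 113 out via $ifout $sks
$cmd 3141 $skip udp from $ournet to any 113 out via $ifout $ks
$cmd 3150 $skip tcp from $ournet to any 119 out via $ifout $sks
$cmd 3160 $skip udp from $ournet to any 123 out via $ifout $ks
$cmd 3170 $skip tcp from $ournet to any 443 out via $ifout $sks
# Was a second rule numbered 3170 using plain keep-state; renumbered and given
# "setup keep-state" like every other TCP rule so that only a SYN creates state.
$cmd 3175 $skip tcp from $ournet to any 5190 out via $ifout $sks
$cmd 3180 $skip tcp from $ournet to any 5191 out via $ifout $sks
$cmd 3190 $skip tcp from $ournet to any 1494 out via $ifout $sks
$cmd 3200 $skip icmp from $ournet to any out via $ifout $ks
#-------------------------------- Drop everything not allowed above --------------------------------
$cmd 4000 deny log icmp from any to any in via $ifout
$cmd 4010 deny log ip from any to any frag in via $ifout
$cmd 4020 deny log tcp from any to any established in via $ifout
$cmd 4030 deny log ip from any to $servip in via $ifout
$cmd 4040 deny log ip from any to any via $ifout
$cmd 4050 deny log ip from $ournet to any out via $ifout
$cmd 4060 deny log ip from $servip to any out via $ifout
#------------------------------ Outbound NAT (reached only via skipto 7000) ------------------------
# Rules 4040-4060 deny all remaining traffic on $ifout, so 7000/7100 can only be reached
# through the skipto rules above; 7100 therefore only sees already-authorized LAN traffic
# after natd has rewritten its source address.
$cmd 7000 divert natd ip from $ournet to any out via $ifout
$cmd 7100 allow ip from any to any via $ifout
$cmd 9999 deny log ip from any to any
#-------------- End ----------------------------------------------------------------------------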
А теперь вопрос:
Что тут не так, учитывая то, что ipfw show не показывает прохождения
пакетов через check-state?
Динамические правила создаются и вроде работают нормально.
Сорри не туда залил